These pages are published after PatchSiren validates generated defensive summaries against stored public CVE and source evidence.
A cross-site scripting (XSS) vulnerability exists in Joomla! due to inadequate input filtering within the HTML filter's cleanAttributes code. The flaw allows attackers with high privileges to inject malicious scripts through insufficiently sanitized content, potentially compromising user sessions or executing unauthorized actions in victims' browsers. The vulnerability affects Joomla! versions 3.0.0 throu [truncated]
A privilege escalation vulnerability exists in Joomla's com_users component, specifically within the group editing webservice endpoint. The improper access check allows unauthenticated or lower-privileged actors to escalate privileges by manipulating group assignments through the webservice API. The vulnerability affects Joomla 4.0.0 through 5.4.5 and 6.0.0 through 6.1.0. The CVSS 4.0 vector indicates net [truncated]
A cross-site scripting (XSS) vulnerability exists in Joomla! Framework due to inadequate content filtering within the checkAttribute methods. The flaw affects Joomla! versions from 3.0.0 through 5.4.5 and from 6.0.0 through 6.1.0. An attacker with high privileges can exploit this vulnerability to inject malicious scripts, potentially compromising user sessions or performing unauthorized actions. The CVSS [truncated]
## Summary CVE-2026-48902 describes a transport-layer security downgrade in Joomla's password and username reset functionality. When the application generates reset links, it produces plain HTTP URLs even for HTTPS connections unless an administrator has explicitly enabled the
CVE-2026-48901 describes a vulnerability in the `InputFilter::getInstance()` method where a security-sensitive parameter was omitted from the instance cache key construction. This flaw could allow improper cache reuse across different security contexts, potentially leading to security boundary violations in input filtering operations. The vulnerability was published on 2026-05-26 and is currently undergoi [truncated]
A medium-severity improper access control vulnerability in Joomla's scheduler component (com_scheduler) allows low-privileged users to modify task types of existing scheduled tasks. The flaw stems from incorrect access checks in the task type editing functionality. Affected versions include Joomla 4.1.0 through 5.4.5 and 6.0.0 through 6.1.0. The vulnerability was disclosed by Joomla's security team on May [truncated]
A medium-severity improper access control vulnerability in Joomla's com_users batch task allows authenticated users with limited privileges to escalate their permissions. The flaw exists in the sample data plugins component where access checks are incorrectly implemented during batch operations. Joomla versions 4.0.0 through 5.4.5 and 6.0.0 through 6.1.0 are affected. The vulnerability was disclosed by th [truncated]
An improper access control vulnerability in Joomla's com_users batch task allows unauthenticated attackers to escalate privileges. The flaw exists in the batch processing functionality of the user management component, where missing authorization checks permit unauthorized privilege modifications. Affected versions include Joomla 4.0.0 through 5.4.5 and 6.0.0 through 6.1.0. The vulnerability was disclosed [truncated]
A high-severity authentication bypass vulnerability in Joomla Core allows attackers to circumvent multi-factor authentication (MFA) checks due to insufficient state validation. The flaw, published 2026-05-26, carries a CVSS 4.0 score of 8.2 (HIGH severity) with a vector indicating network attack vector, low attack complexity, no privileges required, and high impact to integrity. The vulnerability stems fr [truncated]
CVE-2026-48896 is a HIGH severity vulnerability (CVSS 8.2) in Joomla! Core related to insufficient state checks that enable two-factor authentication (2FA) bypass. The vulnerability was published on 2026-05-26 and is currently undergoing analysis by NVD. The issue stems from improper authentication (CWE-287) where state validation failures allow attackers to circumvent MFA protections. Joomla! has publish [truncated]
A path traversal vulnerability exists in the com_media files API endpoint due to improper validation of the search parameter. The vulnerability allows an attacker with high privileges to read arbitrary files on the system. The issue is rated MEDIUM severity with a CVSS score of 5.9. The vulnerability was disclosed by the Joomla! Security Strike Team and affects Joomla! CMS core. The weakness is classified [truncated]
An improper validation of user-supplied input leads to a local file inclusion vulnerability.
An improper access control vulnerability in Joomla's com_config webservice endpoints allows unauthorized access to configuration management functions. The vulnerability stems from insufficient authorization checks on webservice API endpoints, enabling authenticated users with elevated privileges to bypass intended access controls. The CVSS 4.0 vector indicates network attack vector with low attack complex [truncated]
## Summary CVE-2026-35222 is a SQL injection vulnerability in the `com_tags` component of Joomla! CMS. The flaw stems from improperly validated `order` clauses, allowing authenticated attackers to manipulate SQL queries. The vulnerability is rated **MEDIUM** severity with a CVSS score of **6.9** (CVSS 4.0 vector: `AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:N/VA:N`). ## Affected Product - **Vendor:** Joomla! (identi [truncated]
A SQL injection vulnerability exists in the Joomla com_finder component due to improperly constructed filter clauses in search queries. The vulnerability requires authenticated access and has been assigned a CVSS 4.0 score of 6.9 (MEDIUM severity). The issue was disclosed by the Joomla Security Centre on May 6, 2026, and subsequently published in the NVD on May 26, 2026. The vulnerability is classified as [truncated]
A Cross-Site Request Forgery (CSRF) vulnerability exists in the admin user activation endpoint of the Joomla com_users component. The flaw stems from missing CSRF token validation, allowing an attacker to trick an authenticated administrator into performing unintended user activation actions via a malicious web page or link. The CVSS 4.0 vector indicates network attack vector with low attack complexity, r [truncated]
A stored cross-site scripting (XSS) vulnerability exists in Joomla's com_content component due to insufficient output escaping in readmore links. The flaw, assigned CVSS 4.0 score 6.9 (Medium), allows an authenticated attacker with high privileges to inject malicious scripts that execute in the context of users clicking affected readmore links. The vulnerability was disclosed by the Joomla Security Strike [truncated]
A stored cross-site scripting (XSS) vulnerability exists in the content history component of Joomla! Core. The flaw stems from insufficient output escaping, allowing an attacker with high privileges to inject malicious scripts that execute in the context of another user's browser session. The vulnerability was disclosed by the Joomla! Security Strike Team and is currently undergoing analysis in the Nation [truncated]
A stored cross-site scripting (XSS) vulnerability exists in the multilingual associations component (com_associations) of Joomla! CMS due to insufficient output escaping. The vulnerability allows authenticated administrative users to inject malicious scripts that execute in the context of other users' browsers. The CVSS 4.0 vector indicates network attack vector with low attack complexity, requiring high [truncated]
CVE-2026-25900 is a cross-site scripting (XSS) vulnerability in Joomla core feed modules, published 2026-05-26. The vulnerability stems from lack of output escaping, allowing crafted input to execute scripts in a victim's browser. CVSS 4.0 vector indicates network attack vector with low attack complexity, requiring high privileges and user interaction, with high confidentiality impact and low integrity/av [truncated]
